Not to detract from the other comments, but I got one really good reply below that outlined 3 advantages of OpenID in a rational bottom line kind of way. I've also heard some whisperings in other comments that you can get access to some details on the user through OpenID (name? email? what?) and that using that it might even be able to simplify the registration process by not needing to gather as much information.

Things that definitely need to be gathered in a checkout process:

Full name

Email

(I'm pretty sure I'll have to ask for these myself)

Billing address

Shipping address

Credit card info

There may be a few other things that are interesting from a marketing point of view, but I wouldn't ask the user to manually enter anything not absolutely required during the checkout process. So what's possible in this regard?

/Edit

(You may have noticed stackoverflow uses OpenID)

It seems to me it is easier and faster for the user to simply enter a username and password in a signup form they have to go through anyway. I mean you don't avoid entering a username and password either with OpenID. But you avoid the confusion of choosing an OpenID provider, and the trip out to and back from an external site.

With Microsoft making Live ID an OpenID provider (More Info), bringing on several hundred million additional accounts to those provided by Google, Yahoo, and others, this question is more important than ever.

I have to require new customers to sign up during the checkout process, and it is absolutely critical that the experience be as easy and smooth as possible; every little bit harder it becomes translates into lost sales. No geek factor outweighs cold hard cash at the end of the day :)

OpenID seems like a nice idea, but the implementation is of questionable value. What are the advantages of OpenID and is it really worth it in my scenario described above?

Is there a particular reason that your customers need an account on your site? I tend to distrust such transactions, unless I'm purchasing services that I expect to log into.
– eswald, Aug 23 '09 at 1:21

Should be wiki. You are asking for opinions and business-models.
– Sampson, Aug 23 '09 at 1:31

What is the checkout? Are they buying something?
– Martin, Aug 23 '09 at 1:35

15 Answers
15

I respect your need for a business reason to use OpenID rather than a tech-geeky reason. So here it is:

Reason #1

OpenID is way easier than username+password. "Oh no", I hear the responses now, "OpenID is confusing and scary for users. They'll run away." That's why you don't tell the user it's OpenID. Just offer Yahoo and Google buttons and say "use an account you already have" or something to that effect. Users will love you. Underneath you're using OpenID, but don't advertise the fact, and perhaps don't even offer an OpenID text field, until OpenID becomes more mainstream.

A strong majority of users are already logged into Yahoo or Google, so "Click here to log in using your Google/Yahoo account" buttons will mean it's faster and easier for your customers -> more sales.

Reason #2

Do it for your customers, even if they're not asking for OpenID. OpenID is more secure than username+password, since your customers won't be reusing the same username+password on your site as all their other sites. It's bad security to reuse username+password across web sites, but that's what users do. Using OpenID (without telling them) to get them to reuse their existing [pick your small list of major OPs here] accounts will mitigate this and give your users added security. If your site is hacked, their credentials won't be stolen. And if other sites your customers have accounts with are hacked, there's a good chance your customers' account with you won't be compromised.

Reason #3

Fewer support calls and web pages to support users who forgot their passwords.

For people who don't know what OpenID is, and you just show a Google or Yahoo button, they will run away because they will think you are stealing their account user name and passwords.
– Martin, Aug 23 '09 at 1:37

4

Martin, perhaps a few people would. Many people who log into web sites that accept an "email address" for a username and a password not only reuse the same password across sites, but use their email password for it. Most people don't even know what it means to be phished, let alone when it's happening. It's sad, but the truth. Those that know tend to be able to look at the Location bar and see that they're indeed sending to yahoo.com. Remember that OpenID didn't introduce "Login with Yahoo!". That button's been around for a long time.
– Andrew Arnott, Aug 23 '09 at 2:44

Finally someone who presents a good argument for using OpenID on an e-commerce website! You are swaying me.
– Eloff, Aug 23 '09 at 2:57

Excellent answer. #2 is exactly the point I tried to make in comments to my answer, just presented more clearly. :) And nice, outside-the-box thinking in #1 and #3.
– Jonik, Aug 24 '09 at 22:17

2

Eloff, well I'd say maintaining your customers' online security is within the interest of an e-commerce site at least insofar as it protects the site from purchases made by identity thieves, resulting in the merchant having to not be reimbursed by the credit card companies.
– Andrew Arnott, Aug 25 '09 at 2:30

What I like most about OpenID is that it doesn't feel like I'm creating an account at all. It's more like I already have an account for the entire Web, and StackOverflow is taking notice of it when I log in. I'm really tired of having to create a new "identity" on every site I run across because they want to have a bigger user count.

I also like that sites that (only) use OpenID tend to make the whole account experience more flexible: no email confirmation required, no enforced-unique usernames, use of Gravatar, etc. The upside is that there is no registration; I just log in like I was already here.

+1. Well put; it does feel like that ("account for the entire Web")
– Jonik, Aug 22 '09 at 22:57

Your user count can grow despite having OpenId. I use OpenID authentication but when the id_token reaches the server I create a new "user id" in my database. I agree with your comments. I also believe OpenID sites make a better user experience overall. There is some kind of registration though, as I said, the first time the user logs into your web app using OpenID, your web app can store the user Id and then if the user cancels the "registration" (and you should provide that option), your web app should remove that user id from the system.
– reala valoro, May 13 at 1:32

It seems to me it is easier and faster for the user to simply enter a username and password in a signup form they have to go through anyway.

I think, on the contrary, that often it's easier and less of a hassle if the user can login with his existing OpenID, instead of creating separate credentials for every site. (Isn't that the main point about it?)

I frequently use the same credentials everywhere (if the username was available at Microsoft or Google, odds are it is everywhere else I go too.) And I can do that without ever leaving the sign-up page. So if that's the main point of OpenID, then it doesn't have much point at all, does it?
– Eloff, Aug 22 '09 at 20:53

2

I think he was referring to the case where the user has no existing OpenID (and must sign up either way)
– Cameron, Aug 22 '09 at 21:49

1

@Eloff, I've done that too, and one additional point is related to exactly that: Using the same credentials (name and password) all over the place is a security risk. If some poorly administered forum gets cracked, an attacker might gain your credentials for many sites. (I don't know if you meant using the same password too, but in general people certainly do that a lot — for the simple reason that having to come up with new passwords for every damn site that requires registration is too much of a hassle!)
– Jonik, Aug 22 '09 at 23:04

2

@Cameron, who these days doesn't at least have either a yahoo or google account? Those two right there make up at least 90% of the internet.
– priestc, Aug 22 '09 at 23:50

@Jonik: But the same could be said about your email password on a non-OpenID website. If someone gets your email password, they can use the "I forgot my password" links on websites that you visit and reset your password. So OpenID by itself does not pose any new security risk.
– Sasha Chedygov, Aug 23 '09 at 1:23

Maybe it isn't worth the effort on the large scale (yet), but I am very reluctant when it comes to registering on the sites that do not support OpenID: coming up with yet another password, confirming email (which, sometimes, involves waiting for the email), etc. They basically lose me as a user unless I really have a good reason to register there.

But also keep in mind that OpenID is not only about single sign-on, it's the way to maintain your identity, to prove that you are who you claim to be. OpenID sign-on is great, but the ability to perform action on the site on your own behalf (e.g. leave a comment) without registering is even more important.

It's great not having to make too many user accounts all around. All those passwords.... then again, I far prefer a solution like 1Password for the Mac. OpenID is better for sites I'll return to than a separate username, though.

Well the promise of OpenID is a single sign on for multiple websites. The issue is that it's still pretty obscure from a mass-market perspective. I personally would not implement it in a broad customer-facing application just yet.

In my latest application I give the users a choice. I think if you do offer OpenID it should be optional and the fact that it's optional needs to be very clear to your users. I tested my signup with "average" users and they were very hesitant to sign in with their Yahoo, Facebook, Google, or what have you.

For users that do want to use OpenID, do it right. If there is additional information that your site requires and you can pull that info in along with their authentication token then do it.

I tested my signup with "average" users and they were very hesitant to sign in with their Yahoo, Facebook, Google, or what have you. I think this is an extremely good point. It's very important to consider the user's perspective. Most people on SO are power users. Most everyone else isn't. Providing the option is important to retaining and acquiring the average user.
– zzz, Oct 4 '11 at 4:08

OpenId has been challenged because it is a new and unfamiliar concept. In many ways it should have been called "OpenPassword" because the main benefit is controlling a bunch of logins to many sites with a single password. However it is more than that because you specify one quantity and it says both who you are, and proves it.

I know some very experienced computer scientists who were completely thrown when introduced to the concept -- couldn't really see right away how it was secure like entering a password. Because it is called "OpenID" they thought it was just an unsecured name. I mention this because this challenge to understand is significant.

Facebook Connect is the exact same thing -- and it works simply because there are 1 billion people with Facebook accounts, and they tend to stay logged into Facebook all the time. What the facebook guys did well is the user interface, and those implementing OpenID need to take a lesson from that.

The second big mistake I see developers make is thinking that because login is handled some other place, that there is no need for a user profile either. That is incorrect. Each program using OpenId still needs to take responsibility of keeping information about the user EXCEPT for password. The password is the only piece of information that the relying site does not need to keep. Again, there is that "OpenPassword" silly idea again.

I think it is a GIVEN that OpenID will be successful once (1) the general public gets used to this idea of linking a login to another site and (2) OpenID implementors get the user interface right to avoid much of the complication.
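An added example, not part of the original answer or any comment: a minimal relying-party account store illustrating the point above that the site still keeps a user profile but no password, and the earlier comment about creating a local user id on first login and removing it if the user cancels. `AccountStore` and its field names are hypothetical; it assumes an OpenID library has already verified the assertion and passes in the claimed identifier plus any Simple Registration attributes (`fullname`, `email`) the provider sent.

```python
import itertools

# Profile fields the question lists as required at checkout (card data excluded).
CHECKOUT_FIELDS = ("full_name", "email", "billing_address", "shipping_address")
# OpenID Simple Registration attribute names mapped to local profile fields.
SREG_TO_PROFILE = {"fullname": "full_name", "email": "email"}

class AccountStore:
    """Hypothetical relying-party account table: profile data, no password."""

    def __init__(self):
        self._by_identifier = {}      # verified claimed identifier -> record
        self._ids = itertools.count(1)

    def login(self, claimed_id, sreg=None):
        """Return (record, created); claimed_id must already be verified."""
        record = self._by_identifier.get(claimed_id)
        if record is not None:
            return record, False      # returning user: stored profile wins
        profile = {field: None for field in CHECKOUT_FIELDS}
        for key, value in (sreg or {}).items():
            field = SREG_TO_PROFILE.get(key)
            if field and isinstance(value, str) and value.strip():
                profile[field] = value.strip()   # prefill only, user can edit
        record = {"user_id": next(self._ids), "claimed_id": claimed_id,
                  "profile": profile, "confirmed": False}
        self._by_identifier[claimed_id] = record
        return record, True

    def missing_fields(self, claimed_id):
        """Fields the checkout form still has to ask the user for."""
        profile = self._by_identifier[claimed_id]["profile"]
        return [f for f in CHECKOUT_FIELDS if not profile[f]]

    def cancel_registration(self, claimed_id):
        """Delete an unconfirmed record when the user backs out of sign-up."""
        record = self._by_identifier.get(claimed_id)
        if record is not None and not record["confirmed"]:
            del self._by_identifier[claimed_id]
            return True
        return False

def demo():
    store = AccountStore()
    alice = "https://op.example/id/alice"        # constructed identifier
    rec, created = store.login(alice, {"fullname": "Alice Doe", "email": "a@example.com"})
    # The same e-mail under another identifier is a separate account, never a merge.
    other, _ = store.login("https://other-op.example/id/x", {"email": "a@example.com"})
    return created, store.missing_fields(alice), rec["user_id"] != other["user_id"]
```

Accounts are keyed on the verified identifier rather than on the provider-supplied e-mail, so attributes only shorten the form and never decide which account is opened.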

I would agree with you that ease of use for your users is something to heavily consider. Your audience is another thing to consider. As OpenID becomes more accepted this will be less and less of an issue. If you are working on a project where you know the majority of your users will not even know what OpenID is then perhaps you should steer away from it.

Stackoverflow was my first intro into OpenID and I'm a geek.... I created the account after avoiding it for a few days and reading up on it. I finally jumped in but I would venture to say non-geek types would perhaps not. Now, I love the idea and would love to see it everywhere also.

If you can do both your own and OpenID, offer both. I think that would be the best of both worlds. You could point users to the goodness of OpenID but still let them go the other way. If you see a high adoption rate with OpenID you could eventually only offer it.

I'm loath to distract the user with more options than absolutely required during the checkout process. Perhaps adding OpenID support for existing accounts only, accessible from somewhere else would work, but doesn't seem like a high priority to me.
– Eloff, Aug 22 '09 at 21:09

True. That is definitely a part of what should be considered.
– klabranche, Aug 22 '09 at 21:23

Always keep things consistent. OpenID is still in infancy and non-existent to most casual users. It will confuse users who are not familiar with it and they may even end up thinking that they're opting to 'Open' their IDs to the general public.

You can optionally embed an unobtrusive link on the sign up saying "Have an Open ID?". This way, those familiar with it know to use it, those who aren't simply ignore it.

I have been finding more and more that if I'm required to pick a username, and my preferred one is already taken, I'll simply leave the site. At least one company has lost a sale this way, and I refuse to join Twitter. On the other hand, sites that use your email address as a username don't have quite the same problem. For me, it's a different problem: Which address did I give them?

The good news about OpenID is that a few major sites have found a way to make it easy for new users to figure out what's going on, by listing the icons of a few sites where they're likely to have accounts. Whether your average user will trust that method is still in question, though.

I feel it depends on the end users of your system. Open ID is successful in SO because people who are using SO know something about Open ID.

But, I am not sure whether the same thing will be applicable to a Greeting card site / online shopping site where my parents go. The problem I see here is that if you give users a choice between various providers they will get confused.

One way I could think of for the checkout process is not to force a user signup. If they decide to simply check out let them do so.

I think most people who encounter StackOverflow still haven't heard of OpenID. I think StackOverflow demonstrates that OpenID as a login system is successful at teaching people what OpenID is.
– Andrew Arnott, Aug 23 '09 at 2:39

It's easy to teach about OpenID to a tech person compared to a layman and so depending on the target users you may or may not want to implement Open ID.
– Ramesh, Aug 23 '09 at 15:02

Personally, I think the value of a well implemented 'lazy registration' concept is far more useful than the OpenId itself.

I already have so many accounts online I don't mind registering on new websites, but forcing me to sign in just to see what the service is about, or to complete an order, is very annoying with or without openid.